iptables command details and examples

See this configuration on the Internet is also relatively easy to understand, turned around, we look together, I hope that your work can be helpful.
The safety awareness of network administrators is much more important than sloganeering Linux security.

Iptables-f
Iptables-x
Iptables-f-T Mangle
Iptables-t Mangle-x
Iptables-f-T NAT
Iptables-t Nat-x
First, empty the three tables and empty the self-built rules.

Iptables-p INPUT DROP
Iptables-p OUTPUT DROP
Iptables-p FORWARD ACCEPT
The default policy for set input and output is drop,forward for accept.

Iptables-a input-i lo-j ACCEPT
Iptables-a Output-o lo-j ACCEPT
Open the "loopback" first to avoid unnecessary trouble.

Iptables-a input-i eth+-P ICMP--icmp-type 8-j ACCEPT
Iptables-a output-o eth+-P ICMP--icmp-type 0-j ACCEPT
Turn on the ping feature on all network cards for easy maintenance and inspection.

Iptables-a input-i eth0-s 192.168.100.250-d 192.168.100.1-p tcp--dport 22-j ACCEPT
Iptables-a output-o eth0-d 192.168.100.250-s 192.168.100.1-p tcp--sport 22-j ACCEPT
Open port 22 to allow remote administration. (Set a number of additional conditions: the management machine IP must be 250, and must be entered from the Eth0 network card)

Iptables-a input-i eth0-s 192.168.100.0/24-p TCP--dport 3128-m State--state new,established-j ACCEPT
Iptables-a output-o eth0-d 192.168.100.0/24-p TCP--sport 3128-m State--state established-j ACCEPT
Iptables-a input-i eth1-s 192.168.168.0/24-p TCP--dport 3128-m State--state new,established-j ACCEPT
Iptables-a output-o eth1-d 192.168.168.0/24-p TCP--sport 3128-m State--state established-j ACCEPT
Iptables-a input-i eth2-p TCP--dport 32768:61000-m State--state established-j ACCEPT
Iptables-a output-o eth2-p TCP--sport 32768:61000-m State--state new,established-j ACCEPT
Iptables-a output-o eth2-p UDP--dport 53-j ACCEPT
Iptables-a input-i eth2-p UDP--sport 53-j ACCEPT
The above sentence is more headache, I do explain each.

Iptables-a input-i eth0-s 192.168.100.0/24-p TCP--dport 3128-m State--state new,established-j ACCEPT
Allows the 192.168.100.0/24 network segment of the machine to send packets from the ETH0 network card entry. If the packet is a TCP protocol and the destination port is 3128 (because redirect has changed the 80 to 3128.) The prerouting of the NAT table is in front of input of the filter table. , and, again, the state of the packet must be new or established (new represents the "first grip" of the TCP three-segment handshake, in other words, allows the client machine to send a link request to the server.) Established said that through the handshake has been established link), through.

Iptables-a output-o eth2-p TCP--sport 32768:61000-m State--state new,established-j ACCEPT
Let's take a look at this sentence first. Now your packet has entered the Linux server firewall. Squid needs to be accessed instead of you, so at this point the server becomes the client's role, so it is accessed using 32768 to 61000 private ports. (Everyone would be surprised if it should be 1024 to 65535.) In fact, the CentOS version of the Linux definition of the private port is 32768 to 61000, you can check through the Cat/proc/sys/net/ipv4/ip_local_port_range. Again: This is squid as the client to access other servers, so the source port here is 32,768:61,000, not 3128!

Iptables-a input-i eth2-p TCP--dport 32768:61000-m State--state established-j ACCEPT
Of course, the data have to go back.

Iptables-a output-o eth0-d 192.168.100.0/24-p TCP--sport 3128-m State--state established-j ACCEPT
The packet also goes through the server, to the intranet network card. Please note that here, Squid helps you visit the website you want to visit. So in the intranet, your machine is the client role, and squid is the server role. This is different from the process of the external visit just now. So here, the source port is 3128, not 32,768:61,000.

Iptables-a output-o eth2-p UDP--dport 53-j ACCEPT
Iptables-a input-i eth2-p UDP--sport 53-j ACCEPT
Of course, DNS is indispensable.

Iptables-a input-i eth+-P TCP--dport 80-j LOG--log-prefix "Iptables_80_alert"--log-level info
Iptables-a input-i eth+-P TCP--dport 21-j LOG--log-prefix "Iptables_21_alert"--log-level info
Iptables-a input-i eth+-P TCP--dport 22-j LOG--log-prefix "Iptables_22_alert"--log-level info
Iptables-a input-i eth+-P TCP--dport 25-j LOG--log-prefix "Iptables_25_alert"--log-level info
Iptables-a input-i eth+-P ICMP--icmp-type 8-j LOG--log-prefix "Iptables_icmp8_alert"--log-level info
Of course, a bit of logging will help the network administrator.

iptables Basic Command Use example


First, the basic operation of the chain
1, clear all the rules.
1) Clear the rules in all rule chains in the preset table filter.
# iptables-f
2) Clear the rules in the user-defined chain of the preset table filter.
#iptables-X
#iptables-Z
2. Set the default policy for the chain. Generally there are two ways.
1) First allow all the packages, and then prohibit the dangerous package through the fire wall.
#iptables-P INPUT ACCEPT
#iptables-P OUTPUT ACCEPT
#iptables-P FORWARD ACCEPT
2) First prohibit all packages and then allow specific packets to pass through the firewall as needed.
#iptables-P INPUT DROP
#iptables-P OUTPUT DROP
#iptables-P FORWARD DROP
3. List all rules in the table/chain. Only the filter table is listed by default.
#iptables-L
4. Add rules to the chain. The following statement is used for open network interfaces:
#iptables-A input-i lo-j ACCEPT
#iptables-A output-o lo-j ACCEPT
#iptables-A input-i eth0-j acept
#iptables-A output-o eth1-j ACCEPT
#iptables-A forward-i eth1-j ACCEPT
#iptables-A FORWARD-0 eth1-j ACCEPT
Note: Because the local process does not go through the forward chain, the loopback interface lo only acts on input and output two chains.
5, user-defined chain.
#iptables-N Custom
#iptables-A custom-s 0/0-D 0/0-P icmp-j DROP
#iptables-A input-s 0/0-D 0/0-j DROP
Second, set the basic rule matching
1. Specify protocol matching.
1) match the specified protocol.
#iptables-A input-p TCP
2) match all protocols except the specified protocol.
#iptables-A input-p!tcp
2, the specified address matches.
1) Specify a matching host.
#iptables-A input-s 192.168.0.18
2) specify a matching network.
#iptables-A input-s 192.168.2.0/24
3) matches an address other than the specified host.
#iptables-A forward-s!192.168.0.19
4) match a network outside the specified network.
#iptables-A Forward-s! 192.168.3.0/24
3, specify the network interface matching.
1) Specify a single network interface match.
#iptables-A input-i eth0
#iptables-A Forward-o eth0
2) Specify the same type of network interface matching.
#iptables-A Forward-o ppp+
4. Specify port matching.
1) Specify a single port match.
#iptables-A input-p TCP--sport www
#iptables-A input-p udp–dport 53
2) match a port other than the specified port.
#iptables-A input-p tcp–dport!22
3) match the port range.
#iptables-A input-p tcp–sport 22:80
4) match ICMP port and ICMP type.
#iptables-A inout-p Icmp–icimp-type 8
5) Specify IP fragmentation.
Every
Each network interface has an MTU (maximum transmission unit), which defines the maximum size of the packets that can be passed. If a packet is larger than this parameter value, the system divides it into smaller packets
(known as IP fragmentation) for transmission, while the receiving party reorganizes the IP fragments to restore the entire package. This can cause a problem: when the system divides large packets into IP fragmentation transfers, the first fragment contains
Complete header information (IP+TCP, UDP, and ICMP), but subsequent fragments are only part of the header information (such as source address, destination location). Therefore, check the head of the IP fragment behind (like a
TCP, UDP, and ICMP) are not possible. If there is such a rule:
#iptables-A forward-p tcp-s 192.168.1.0/24-d 192.168.2.100–dport 80-j ACCEPT
And at this time the forward policy is drop, the system will only let the first IP fragment through, and the remaining fragments because the Baotou information is incomplete and can not pass. You can use the-FRAGMENT/-F option to specify the second and subsequent IP fragments to resolve the above problem.
#iptables-A forward-f-S 192.168.1.0/24-d 192.168.2.100-j ACCEPT
Note There are now many instances of IP fragmentation attacks, such as Dos attacks, so allowing IP fragmentation to pass is a security risk, which can be limited by iptables matching extensions.
Set the rule match for the extension (for example, the target action is ignored)
1, multi-port matching.
1) match multiple source ports.
#iptables-A input-p tcp-m multiport–sport 22,53,80,110
2) match multiple destination ports.
#iptables-A input-p tcp-m multiport–dpoort 22,53,80
3) matching multiport (either source port or destination port)
#iptables-A input-p tcp-m multiport–port 22,53,80,110
2. Specify TCP matching Extension
Use the –tcp-flags option to filter based on the flag bit of the TCP packet.
#iptables-A input-p tcp–tcp-flags syn,fin,ack SYN
#iptables-A froward-p tcp–tcp-flags all Syn,ack
The first flag in the previous instance that represents a SYN, ACK, fin is checked, but only SYN matches. The second flag that represents all (SYN,ACK,FIN,RST,URG,PSH) is checked, but only a match of SYN and ACK is set.
#iptables-A forward-p TCP--syn
The option-syn corresponds to the shorthand for "--tcp-flags syn,rst,ack SYN".
3, limit rate matching expansion.
1) Specify the number of packets allowed within the unit time, either/second,/minute,/hour,/day, or using the first child.
#iptables-A input-m limit--limit 300/hour
2) Specify thresholds for triggering events.
#iptables-A input-m Limit–limit-burst 10
The packets that exceed this limit will be discarded directly if there are more than 10 packets that have been poured in at a time.
3) Specify both the rate limit and the trigger threshold.
#iptables-A input-p icmp-m limit–-limit 3/m–limit-burst 3
Indicates the maximum allowable number of packets per minute is the limit rate (in this case 3) plus the current trigger threshold burst number. In any case, 3 packets are guaranteed to pass, triggering a threshold of burst equivalent to the number of additional packages allowed.
4) State-based matching extension (connection tracking)
Each network connection includes the following information: Source address, Destination address, source port, destination port, called socket pair (socket pairs), protocol type, connection status (TCP protocol)
and time-out times. The firewall calls this information state (stateful). A stateful packet filtering firewall can maintain a tracking status table in memory, which is more secure than a simple packet filtering firewall with the following command format:
Iptables-m state–-state [!] State [, State,state,state]
Where the state table is a comma-delimited list of 4 types of connection states:
>new: The package wants to start a new connection (reconnect or connect redirect)
>related: The package is a new connection established by an already established connection. Example:
The FTP connection between data transmission and control is a related relationship.
>established: The package belongs to an already established connection.
>invalid: The package does not match any connections, usually these packets are drop.
For example:
(1) Add a rule to the input chain to match the established connection or the new connection established by the established connection. That is, all TCP response packets are matched.
#iptables-A input-m state–state related,established
(2) Add a rule to the input chain to match all connection request packets from the non-eth0 interface.
#iptables-A input-m State-–state new-i!eth0
As another example, for FTP connections you can use the following connection tracking:
(1) Passive (Passive) FTP connection mode.
#iptables-A input-p TCP--sport 1024x768:--dport 1024x768:-M state–-state established-j ACCEPT
#iptables-A output-p TCP--sport 1024x768:--dport:-M
State-–state Established,related-j ACCEPT
(2) Active (Active) FTP connection mode
#iptables-A innput-p tcp--sport 20-m state–-state established,related-j ACCEPT
#iptables-A output-p tcp–output-p tcp–dport 20-m State--state established-j ACCEPT

iptables command details and examples